diff --git a/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-5772-1.patch b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-5772-1.patch
new file mode 100644
index 0000000000..cc285ed58b
--- /dev/null
+++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-5772-1.patch
@@ -0,0 +1,25 @@
+From 9fe2213ba1fd8a05f7fa9b95fa940530b445bae9 Mon Sep 17 00:00:00 2001
+From: Kareem
+Date: Wed, 1 Apr 2026 11:28:45 -0700
+Subject: [PATCH] Exit MatchDomainName if pattern or string length reach 0.
+
+CVE: CVE-2026-5772
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/1274c7b5e7e9e28d88caf60662f6f9624bf834b7]
+Signed-off-by: Ankur Tyagi
+---
+ src/internal.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/internal.c b/src/internal.c
+index ccfecc235..1c217b902 100644
+--- a/src/internal.c
++++ b/src/internal.c
+@@ -12898,7 +12898,7 @@ int MatchDomainName(const char* pattern, int patternLen, const char* str,
+ if (pattern == NULL || str == NULL || patternLen <= 0 || strLen == 0)
+ return 0;
+
+- while (patternLen > 0) {
++ while (patternLen > 0 && strLen > 0) {
+ /* Get the next pattern char to evaluate */
+ char p = (char)XTOLOWER((unsigned char)*pattern);
+ if (p == '\0')
diff --git a/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-5772-2.patch b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-5772-2.patch
new file mode 100644
index 0000000000..3ca26a8d9e
--- /dev/null
+++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-5772-2.patch
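Review bot: The only code line that CVE-2026-5772-1.patch changes, `while (patternLen > 0 && strLen > 0) {`, is put back to `while (patternLen > 0) {` by CVE-2026-5772-2.patch, so the net fix lives entirely in the second file and this one is an intermediate state. Anyone who later drops, reorders or cherry-picks only one of the pair gets either a failed apply or the early loop exit that the follow-up commit's subject describes as changing existing logic. I would either fold both upstream commits into a single patch file that lists both `Upstream-Status` URLs, or add a free-text header line such as `Loop condition is reverted by CVE-2026-5772-2.patch; apply both, in order.` The body of MatchDomainName continues outside the hunk, so the effect of the early exit on the return value cannot be judged from here.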
@@ -0,0 +1,35 @@
+From 89938195b946f709f40f653d90ce215f868c7d79 Mon Sep 17 00:00:00 2001
+From: Kareem
+Date: Wed, 1 Apr 2026 11:50:17 -0700
+Subject: [PATCH] Rework check to avoid changing existing logic.
+
+CVE: CVE-2026-5772
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/90d631232308a59a03f6f6f455f9ac373db7af3d]
+Signed-off-by: Ankur Tyagi
+---
+ src/internal.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/internal.c b/src/internal.c
+index 1c217b902..6af03cbf0 100644
+--- a/src/internal.c
++++ b/src/internal.c
+@@ -12898,7 +12898,7 @@ int MatchDomainName(const char* pattern, int patternLen, const char* str,
+ if (pattern == NULL || str == NULL || patternLen <= 0 || strLen == 0)
+ return 0;
+
+- while (patternLen > 0 && strLen > 0) {
++ while (patternLen > 0) {
+ /* Get the next pattern char to evaluate */
+ char p = (char)XTOLOWER((unsigned char)*pattern);
+ if (p == '\0')
+@@ -12964,6 +12964,9 @@ int MatchDomainName(const char* pattern, int patternLen, const char* str,
+ wildcardEligible = 0;
+ }
+
++ if (strLen == 0)
++ return 0;
++
+ /* Simple case, pattern match exactly */
+ if (p != (char)XTOLOWER((unsigned char) *str))
+ return 0;
diff --git a/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb b/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb
index 34a3cd17bb..54a1e401d4 100644
--- a/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb
+++ b/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb
@@ -44,6 +44,8 @@ SRC_URI = " \
 file://CVE-2026-5446-1.patch \
 file://CVE-2026-5446-2.patch \
 file://CVE-2026-5447.patch \
+ file://CVE-2026-5772-1.patch \
+ file://CVE-2026-5772-2.patch \
 "
 
 SRCREV = "b077c81eb635392e694ccedbab8b644297ec0285"
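Review bot: The added `if (strLen == 0) return 0;` in the second inner hunk of CVE-2026-5772-2.patch carries no comment, and the subject "Rework check to avoid changing existing logic" does not say what it protects. From the visible lines it sits directly in front of the compare that reads `*str`, so it stops that read once the name has been fully consumed while pattern characters remain. A one-line comment above it, `/* str exhausted but pattern is not: no match, and *str below must not be read */`, would keep a later refactor from moving or dropping the guard; since this is a backport, the patch description is the place for it if the code must stay identical to upstream. The diffstat shows only src/internal.c, so no regression test comes with the fix; a name-matching case whose pattern is longer than the name would pin it. MatchDomainName starts and ends outside both inner hunks.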